author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-02-03 14:04:42 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-02-03 18:43:13 +0100 |
commit | 29fd6a1df9f6c80d155a7a73b8514a68dc9cd22d (patch) | |
tree | 9dc15a3e19a6ff36ae9ee3d38c7b8190b73f0a72 /include | |
parent | 16871a3615edcf358d688a8d079b1e7b20053fb1 (diff) | |
parent | 076fd1e66e7f1bc3b2bd91f3efb84080da26fb9c (diff) |
Merge branch 'master' into next-3.14
This patch includes changes to adapt this branch to the library
rename that happened in the master branch.
Conflicts:
src/Makefile.am
src/expr/cmp.c
src/expr/ct.c
src/expr/data_reg.c
src/expr/meta.c
tests/jsonfiles/01-table.json
tests/jsonfiles/02-table.json
tests/jsonfiles/64-ruleset.json
tests/xmlfiles/01-table.xml
tests/xmlfiles/02-table.xml
Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.am | 2 | ||||
-rw-r--r-- | include/libnftables/common.h | 20 | ||||
-rw-r--r-- | include/libnftnl/Makefile.am (renamed from include/libnftables/Makefile.am) | 0 | ||||
-rw-r--r-- | include/libnftnl/chain.h (renamed from include/libnftables/chain.h) | 13 | ||||
-rw-r--r-- | include/libnftnl/common.h | 33 | ||||
-rw-r--r-- | include/libnftnl/expr.h (renamed from include/libnftables/expr.h) | 6 | ||||
-rw-r--r-- | include/libnftnl/rule.h (renamed from include/libnftables/rule.h) | 13 | ||||
-rw-r--r-- | include/libnftnl/ruleset.h (renamed from include/libnftables/ruleset.h) | 13 | ||||
-rw-r--r-- | include/libnftnl/set.h (renamed from include/libnftables/set.h) | 18 | ||||
-rw-r--r-- | include/libnftnl/table.h (renamed from include/libnftables/table.h) | 13 | ||||
-rw-r--r-- | include/linux/kernel.h | 29 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 89 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink.h | 5 | ||||
-rw-r--r-- | include/linux/netfilter/x_tables.h | 185 |
14 files changed, 384 insertions, 55 deletions
diff --git a/include/Makefile.am b/include/Makefile.am index 10332b7..5976bbd 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -1,3 +1,3 @@ -SUBDIRS = libnftables linux +SUBDIRS = libnftnl linux noinst_HEADERS = linux_list.h diff --git a/include/libnftables/common.h b/include/libnftables/common.h deleted file mode 100644 index 9cd92b2..0000000 --- a/include/libnftables/common.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef _LIBNFTABLES_COMMON_H_ -#define _LIBNFTABLES_COMMON_H_ - -enum nft_output_type { - NFT_OUTPUT_DEFAULT = 0, - NFT_OUTPUT_XML, - NFT_OUTPUT_JSON, -}; - -enum nft_parse_type { - NFT_PARSE_NONE = 0, - NFT_PARSE_XML, - NFT_PARSE_JSON, - NFT_PARSE_MAX, -}; - -struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family, - uint16_t type, uint32_t seq); - -#endif diff --git a/include/libnftables/Makefile.am b/include/libnftnl/Makefile.am index a0841d2..a0841d2 100644 --- a/include/libnftables/Makefile.am +++ b/include/libnftnl/Makefile.am diff --git a/include/libnftables/chain.h b/include/libnftnl/chain.h index 8b4eab9..66626d8 100644 --- a/include/libnftables/chain.h +++ b/include/libnftnl/chain.h @@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_CHAIN_H_ -#define _LIBNFTABLES_CHAIN_H_ +#ifndef _LIBNFTNL_CHAIN_H_ +#define _LIBNFTNL_CHAIN_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { 
@@ -51,7 +51,10 @@ struct nlmsghdr; void nft_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_chain *t); -int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, const char *data); +int nft_chain_parse(struct nft_chain *c, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_chain_parse_file(struct nft_chain *c, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_chain_snprintf(char *buf, size_t size, struct nft_chain *t, uint32_t type, uint32_t flags); int nft_chain_fprintf(FILE *fp, struct nft_chain *c, uint32_t type, uint32_t flags); @@ -79,4 +82,4 @@ void nft_chain_list_iter_destroy(struct nft_chain_list_iter *iter); } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_CHAIN_H_ */ +#endif /* _LIBNFTNL_CHAIN_H_ */ diff --git a/include/libnftnl/common.h b/include/libnftnl/common.h new file mode 100644 index 0000000..f0c20f0 --- /dev/null +++ b/include/libnftnl/common.h @@ -0,0 +1,33 @@ +#ifndef _LIBNFTNL_COMMON_H_ +#define _LIBNFTNL_COMMON_H_ + +#include <stdint.h> + +enum { + NFT_PARSE_EBADINPUT = 0, + NFT_PARSE_EMISSINGNODE, + NFT_PARSE_EBADTYPE, +}; + +enum nft_output_type { + NFT_OUTPUT_DEFAULT = 0, + NFT_OUTPUT_XML, + NFT_OUTPUT_JSON, +}; + +enum nft_parse_type { + NFT_PARSE_NONE = 0, + NFT_PARSE_XML, + NFT_PARSE_JSON, + NFT_PARSE_MAX, +}; + +struct nft_parse_err; + +struct nlmsghdr *nft_nlmsg_build_hdr(char *buf, uint16_t cmd, uint16_t family, + uint16_t type, uint32_t seq); + +struct nft_parse_err *nft_parse_err_alloc(void); +void nft_parse_err_free(struct nft_parse_err *); +int nft_parse_perror(const char *str, struct nft_parse_err *err); +#endif diff --git a/include/libnftables/expr.h b/include/libnftnl/expr.h index 653bbb0..6ec05a6 100644 --- a/include/libnftables/expr.h +++ b/include/libnftnl/expr.h 
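Review bot: The new `struct nft_parse_err *err` parameter on `nft_chain_parse` and `nft_chain_parse_file` is undocumented, so a caller reading chain.h cannot tell whether NULL is accepted or whether `err` has to come from `nft_parse_err_alloc()`; the same applies to the parallel additions in rule.h, ruleset.h, set.h (both `nft_set_parse*` and `nft_set_elem_parse*`) and table.h, and the return convention of the new `*_parse_file` variants is likewise unstated. These functions are the entry point for XML/JSON data that may come from outside the process, so the contract a caller must check is worth stating next to the prototypes. A one-line comment above the group would settle it, e.g. `/* err: error report for a failed parse, allocated with nft_parse_err_alloc(); <NULL-handling and return value to be confirmed against src/> */` — the implementation is not in this diff, so the exact wording has to be checked against it.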
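Review bot: `void nft_parse_err_free(struct nft_parse_err *);` drops the parameter name that every other prototype in this header keeps; `void nft_parse_err_free(struct nft_parse_err *err);` reads consistently and documents the ownership handoff. The anonymous enum `NFT_PARSE_EBADINPUT`/`NFT_PARSE_EMISSINGNODE`/`NFT_PARSE_EBADTYPE` carries no comment saying what it classifies or where the codes surface — presumably through `struct nft_parse_err` and `nft_parse_perror()`, but the header does not say so; a `/* error classes reported through struct nft_parse_err (confirm against src/) */` line above it would help. `nft_parse_perror` returns `int` without any indication of what the value means; either document it or, if the value is not meaningful to callers, make the function `void`.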
@@ -1,5 +1,5 @@ -#ifndef _LIBNFTABLES_RULE_EXPR_H_ -#define _LIBNFTABLES_RULE_EXPR_H_ +#ifndef _LIBNFTNL_RULE_EXPR_H_ +#define _LIBNFTNL_RULE_EXPR_H_ #include <stdint.h> #include <stdbool.h> @@ -154,4 +154,4 @@ enum { } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_RULE_EXPR_H_ */ +#endif /* _LIBNFTNL_RULE_EXPR_H_ */ diff --git a/include/libnftables/rule.h b/include/libnftnl/rule.h index 86dbc17..4033d3c 100644 --- a/include/libnftables/rule.h +++ b/include/libnftnl/rule.h @@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_RULE_H_ -#define _LIBNFTABLES_RULE_H_ +#ifndef _LIBNFTNL_RULE_H_ +#define _LIBNFTNL_RULE_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { @@ -47,7 +47,10 @@ struct nlmsghdr; void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *t); -int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, const char *data); +int nft_rule_parse(struct nft_rule *r, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_rule_parse_file(struct nft_rule *r, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *t, uint32_t type, uint32_t flags); int nft_rule_fprintf(FILE *fp, struct nft_rule *r, uint32_t type, uint32_t flags); @@ -85,4 +88,4 @@ void nft_rule_list_iter_destroy(struct nft_rule_list_iter *iter); } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_RULE_H_ */ +#endif /* _LIBNFTNL_RULE_H_ */ diff --git a/include/libnftables/ruleset.h b/include/libnftnl/ruleset.h index 1ec3059..6f89110 100644 --- a/include/libnftables/ruleset.h +++ b/include/libnftnl/ruleset.h @@ -1,5 +1,5 @@ -#ifndef _LIBNFTABLES_RULESET_H_ -#define _LIBNFTABLES_RULESET_H_ +#ifndef _LIBNFTNL_RULESET_H_ +#define _LIBNFTNL_RULESET_H_ #include <stdio.h> 
@@ -7,7 +7,7 @@ #include <stdint.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { @@ -30,7 +30,10 @@ void nft_ruleset_attr_unset(struct nft_ruleset *r, uint16_t attr); void nft_ruleset_attr_set(struct nft_ruleset *r, uint16_t attr, void *data); const void *nft_ruleset_attr_get(const struct nft_ruleset *r, uint16_t attr); -int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type, const char *data); +int nft_ruleset_parse(struct nft_ruleset *rs, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_ruleset_parse_file(struct nft_ruleset *rs, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_ruleset_snprintf(char *buf, size_t size, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, uint32_t flags); @@ -38,4 +41,4 @@ int nft_ruleset_fprintf(FILE *fp, const struct nft_ruleset *rs, uint32_t type, u } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_RULESET_H_ */ +#endif /* _LIBNFTNL_RULESET_H_ */ diff --git a/include/libnftables/set.h b/include/libnftnl/set.h index 13ac857..7fa9fb2 100644 --- a/include/libnftables/set.h +++ b/include/libnftnl/set.h @@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_SET_H_ -#define _LIBNFTABLES_SET_H_ +#ifndef _LIBNFTNL_SET_H_ +#define _LIBNFTNL_SET_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> enum { NFT_SET_ATTR_TABLE, 
@@ -60,7 +60,10 @@ struct nft_set *nft_set_list_iter_cur(struct nft_set_list_iter *iter); struct nft_set *nft_set_list_iter_next(struct nft_set_list_iter *iter); void nft_set_list_iter_destroy(struct nft_set_list_iter *iter); -int nft_set_parse(struct nft_set *s, enum nft_parse_type type, const char *data); +int nft_set_parse(struct nft_set *s, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_set_parse_file(struct nft_set *s, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); /* * Set elements @@ -98,7 +101,10 @@ void nft_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_set_elem int nft_set_elem_nlmsg_parse(const struct nlmsghdr *nlh, struct nft_set_elem *s); -int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, const char *data); +int nft_set_elem_parse(struct nft_set_elem *e, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_set_elem_parse_file(struct nft_set_elem *e, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_set_elem_snprintf(char *buf, size_t size, struct nft_set_elem *s, uint32_t type, uint32_t flags); int nft_set_elem_fprintf(FILE *fp, struct nft_set_elem *se, uint32_t type, uint32_t flags); @@ -110,4 +116,4 @@ struct nft_set_elem *nft_set_elems_iter_cur(struct nft_set_elems_iter *iter); struct nft_set_elem *nft_set_elems_iter_next(struct nft_set_elems_iter *iter); void nft_set_elems_iter_destroy(struct nft_set_elems_iter *iter); -#endif /* _LIBNFTABLES_SET_H_ */ +#endif /* _LIBNFTNL_SET_H_ */ diff --git a/include/libnftables/table.h b/include/libnftnl/table.h index 1d2be07..56e7e35 100644 --- a/include/libnftables/table.h +++ b/include/libnftnl/table.h 
@@ -1,12 +1,12 @@ -#ifndef _LIBNFTABLES_TABLE_H_ -#define _LIBNFTABLES_TABLE_H_ +#ifndef _LIBNFTNL_TABLE_H_ +#define _LIBNFTNL_TABLE_H_ #include <stdio.h> #include <stdint.h> #include <stdbool.h> #include <sys/types.h> -#include <libnftables/common.h> +#include <libnftnl/common.h> #ifdef __cplusplus extern "C" { @@ -40,7 +40,10 @@ struct nlmsghdr; void nft_table_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nft_table *t); -int nft_table_parse(struct nft_table *t, enum nft_parse_type type, const char *data); +int nft_table_parse(struct nft_table *t, enum nft_parse_type type, + const char *data, struct nft_parse_err *err); +int nft_table_parse_file(struct nft_table *t, enum nft_parse_type type, + FILE *fp, struct nft_parse_err *err); int nft_table_snprintf(char *buf, size_t size, struct nft_table *t, uint32_t type, uint32_t flags); int nft_table_fprintf(FILE *fp, struct nft_table *t, uint32_t type, uint32_t flags); @@ -68,4 +71,4 @@ void nft_table_list_iter_destroy(struct nft_table_list_iter *iter); } /* extern "C" */ #endif -#endif /* _LIBNFTABLES_TABLE_H_ */ +#endif /* _LIBNFTNL_TABLE_H_ */ diff --git a/include/linux/kernel.h b/include/linux/kernel.h new file mode 100644 index 0000000..d4c59f6 --- /dev/null +++ b/include/linux/kernel.h 
@@ -0,0 +1,29 @@ +#ifndef _LINUX_KERNEL_H +#define _LINUX_KERNEL_H + +/* + * 'kernel.h' contains some often-used function prototypes etc + */ +#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1) +#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask)) + + +#define SI_LOAD_SHIFT 16 +struct sysinfo { + long uptime; /* Seconds since boot */ + unsigned long loads[3]; /* 1, 5, and 15 minute load averages */ + unsigned long totalram; /* Total usable main memory size */ + unsigned long freeram; /* Available memory size */ + unsigned long sharedram; /* Amount of shared memory */ + unsigned long bufferram; /* Memory used by buffers */ + unsigned long totalswap; /* Total swap space size */ + unsigned long freeswap; /* swap space still available */ + unsigned short procs; /* Number of current processes */ + unsigned short pad; /* explicit padding for m68k */ + unsigned long totalhigh; /* Total high memory size */ + unsigned long freehigh; /* Available high memory size */ + unsigned int mem_unit; /* Memory unit size in bytes */ + char _f[20-2*sizeof(long)-sizeof(int)]; /* Padding: libc5 uses this.. */ +}; + +#endif diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 6a22a37..31ddd06 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h 
@@ -32,6 +32,25 @@ enum nft_verdicts { NFT_RETURN = -5, }; +/** + * enum nf_tables_msg_types - nf_tables netlink message types + * + * @NFT_MSG_NEWTABLE: create a new table (enum nft_table_attributes) + * @NFT_MSG_GETTABLE: get a table (enum nft_table_attributes) + * @NFT_MSG_DELTABLE: delete a table (enum nft_table_attributes) + * @NFT_MSG_NEWCHAIN: create a new chain (enum nft_chain_attributes) + * @NFT_MSG_GETCHAIN: get a chain (enum nft_chain_attributes) + * @NFT_MSG_DELCHAIN: delete a chain (enum nft_chain_attributes) + * @NFT_MSG_NEWRULE: create a new rule (enum nft_rule_attributes) + * @NFT_MSG_GETRULE: get a rule (enum nft_rule_attributes) + * @NFT_MSG_DELRULE: delete a rule (enum nft_rule_attributes) + * @NFT_MSG_NEWSET: create a new set (enum nft_set_attributes) + * @NFT_MSG_GETSET: get a set (enum nft_set_attributes) + * @NFT_MSG_DELSET: delete a set (enum nft_set_attributes) + * @NFT_MSG_NEWSETELEM: create a new set element (enum nft_set_elem_attributes) + * @NFT_MSG_GETSETELEM: get a set element (enum nft_set_elem_attributes) + * @NFT_MSG_DELSETELEM: delete a set element (enum nft_set_elem_attributes) + */ enum nf_tables_msg_types { NFT_MSG_NEWTABLE, NFT_MSG_GETTABLE, @@ -90,6 +109,7 @@ enum nft_table_flags { * enum nft_table_attributes - nf_tables table netlink attributes * * @NFTA_TABLE_NAME: name of the table (NLA_STRING) + * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) */ enum nft_table_attributes { NFTA_TABLE_UNSPEC, 
@@ -104,8 +124,13 @@ enum nft_table_attributes { * enum nft_chain_attributes - nf_tables chain netlink attributes * * @NFTA_CHAIN_TABLE: name of the table containing the chain (NLA_STRING) + * @NFTA_CHAIN_HANDLE: numeric handle of the chain (NLA_U64) * @NFTA_CHAIN_NAME: name of the chain (NLA_STRING) * @NFTA_CHAIN_HOOK: hook specification for basechains (NLA_NESTED: nft_hook_attributes) + * @NFTA_CHAIN_POLICY: numeric policy of the chain (NLA_U32) + * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32) + * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING) + * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes) */ enum nft_chain_attributes { NFTA_CHAIN_UNSPEC, @@ -126,8 +151,10 @@ enum nft_chain_attributes { * * @NFTA_RULE_TABLE: name of the table containing the rule (NLA_STRING) * @NFTA_RULE_CHAIN: name of the chain containing the rule (NLA_STRING) - * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U16) + * @NFTA_RULE_HANDLE: numeric handle of the rule (NLA_U64) * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) + * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) + * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) */ enum nft_rule_attributes { NFTA_RULE_UNSPEC, 
@@ -141,11 +168,22 @@ enum nft_rule_attributes { }; #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) +/** + * enum nft_rule_compat_flags - nf_tables rule compat flags + * + * @NFT_RULE_COMPAT_F_INV: invert the check result + */ enum nft_rule_compat_flags { NFT_RULE_COMPAT_F_INV = (1 << 1), NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV, }; +/** + * enum nft_rule_compat_attributes - nf_tables rule compat attributes + * + * @NFTA_RULE_COMPAT_PROTO: numerice value of handled protocol (NLA_U32) + * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32) + */ enum nft_rule_compat_attributes { NFTA_RULE_COMPAT_UNSPEC, NFTA_RULE_COMPAT_PROTO, @@ -343,11 +381,26 @@ enum nft_bitwise_attributes { }; #define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1) +/** + * enum nft_byteorder_ops - nf_tables byteorder operators + * + * @NFT_BYTEORDER_NTOH: network to host operator + * @NFT_BYTEORDER_HTON: host to network opertaor + */ enum nft_byteorder_ops { NFT_BYTEORDER_NTOH, NFT_BYTEORDER_HTON, }; +/** + * enum nft_byteorder_attributes - nf_tables byteorder expression netlink attributes + * + * @NFTA_BYTEORDER_SREG: source register (NLA_U32: nft_registers) + * @NFTA_BYTEORDER_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_BYTEORDER_OP: operator (NLA_U32: enum nft_byteorder_ops) + * @NFTA_BYTEORDER_LEN: length of the data (NLA_U32) + * @NFTA_BYTEORDER_SIZE: data size in bytes (NLA_U32: 2 or 4) + */ enum nft_byteorder_attributes { NFTA_BYTEORDER_UNSPEC, NFTA_BYTEORDER_SREG, @@ -359,6 +412,16 @@ enum nft_byteorder_attributes { }; #define NFTA_BYTEORDER_MAX (__NFTA_BYTEORDER_MAX - 1) +/** + * enum nft_cmp_ops - nf_tables relational operator + * + * @NFT_CMP_EQ: equal + * @NFT_CMP_NEQ: not equal + * @NFT_CMP_LT: less than + * @NFT_CMP_LTE: less than or equal to + * @NFT_CMP_GT: greater than + * @NFT_CMP_GTE: greater than or equal to + */ enum nft_cmp_ops { NFT_CMP_EQ, NFT_CMP_NEQ, 
@@ -384,6 +447,13 @@ enum nft_cmp_attributes { }; #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1) +/** + * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes + * + * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING) + * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers) + * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers) + */ enum nft_lookup_attributes { NFTA_LOOKUP_UNSPEC, NFTA_LOOKUP_SET, @@ -424,6 +494,14 @@ enum nft_payload_attributes { }; #define NFTA_PAYLOAD_MAX (__NFTA_PAYLOAD_MAX - 1) +/** + * enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes + * + * @NFTA_EXTHDR_DREG: destination register (NLA_U32: nft_registers) + * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8) + * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32) + * @NFTA_EXTHDR_LEN: extension header length (NLA_U32) + */ enum nft_exthdr_attributes { NFTA_EXTHDR_UNSPEC, NFTA_EXTHDR_DREG, @@ -648,10 +726,11 @@ enum nft_nat_types { * enum nft_nat_attributes - nf_tables nat expression netlink attributes * * @NFTA_NAT_TYPE: NAT type (NLA_U32: nft_nat_types) - * @NFTA_NAT_ADDR_MIN: source register of address range start (NLA_U32: nft_registers) - * @NFTA_NAT_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) - * @NFTA_NAT_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) - * @NFTA_NAT_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) + * @NFTA_NAT_FAMILY: NAT family (NLA_U32) + * @NFTA_NAT_REG_ADDR_MIN: source register of address range start (NLA_U32: nft_registers) + * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) + * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) + * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) */ enum nft_nat_attributes { NFTA_NAT_UNSPEC, 
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 91eebab..336c10c 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h @@ -97,4 +97,9 @@ extern void nfnl_unlock(void); MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys)) #endif /* __KERNEL__ */ + +/* Reserved control nfnetlink messages */ +#define NFNL_MSG_BATCH_BEGIN NLMSG_MIN_TYPE +#define NFNL_MSG_BATCH_END NLMSG_MIN_TYPE+1 + #endif /* _NFNETLINK_H */ diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h new file mode 100644 index 0000000..4120970 --- /dev/null +++ b/include/linux/netfilter/x_tables.h 
@@ -0,0 +1,185 @@ +#ifndef _X_TABLES_H +#define _X_TABLES_H +#include <linux/kernel.h> +#include <linux/types.h> + +#define XT_FUNCTION_MAXNAMELEN 30 +#define XT_EXTENSION_MAXNAMELEN 29 +#define XT_TABLE_MAXNAMELEN 32 + +struct xt_entry_match { + union { + struct { + __u16 match_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 match_size; + + /* Used inside the kernel */ + struct xt_match *match; + } kernel; + + /* Total length */ + __u16 match_size; + } u; + + unsigned char data[0]; +}; + +struct xt_entry_target { + union { + struct { + __u16 target_size; + + /* Used by userspace */ + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; + } user; + struct { + __u16 target_size; + + /* Used inside the kernel */ + struct xt_target *target; + } kernel; + + /* Total length */ + __u16 target_size; + } u; + + unsigned char data[0]; +}; + +#define XT_TARGET_INIT(__name, __size) \ +{ \ + .target.u.user = { \ + .target_size = XT_ALIGN(__size), \ + .name = __name, \ + }, \ +} + +struct xt_standard_target { + struct xt_entry_target target; + int verdict; +}; + +struct xt_error_target { + struct xt_entry_target target; + char errorname[XT_FUNCTION_MAXNAMELEN]; +}; + +/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision + * kernel supports, if >= revision. */ +struct xt_get_revision { + char name[XT_EXTENSION_MAXNAMELEN]; + __u8 revision; +}; + +/* CONTINUE verdict for targets */ +#define XT_CONTINUE 0xFFFFFFFF + +/* For standard target */ +#define XT_RETURN (-NF_REPEAT - 1) + +/* this is a dummy structure to find out the alignment requirement for a struct + * containing all the fundamental data types that are used in ipt_entry, + * ip6t_entry and arpt_entry. This sucks, and it is a hack. 
It will be my + * personal pleasure to remove it -HW + */ +struct _xt_align { + __u8 u8; + __u16 u16; + __u32 u32; + __u64 u64; +}; + +#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) + +/* Standard return verdict, or do jump. */ +#define XT_STANDARD_TARGET "" +/* Error verdict. */ +#define XT_ERROR_TARGET "ERROR" + +#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) +#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) + +struct xt_counters { + __u64 pcnt, bcnt; /* Packet and byte counters */ +}; + +/* The argument to IPT_SO_ADD_COUNTERS. */ +struct xt_counters_info { + /* Which table. */ + char name[XT_TABLE_MAXNAMELEN]; + + unsigned int num_counters; + + /* The counters (actually `number' of these). */ + struct xt_counters counters[0]; +}; + +#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */ + +/* fn returns 0 to continue iteration */ +#define XT_MATCH_ITERATE(type, e, fn, args...) \ +({ \ + unsigned int __i; \ + int __ret = 0; \ + struct xt_entry_match *__m; \ + \ + for (__i = sizeof(type); \ + __i < (e)->target_offset; \ + __i += __m->u.match_size) { \ + __m = (void *)e + __i; \ + \ + __ret = fn(__m , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ +({ \ + unsigned int __i, __n; \ + int __ret = 0; \ + type *__entry; \ + \ + for (__i = 0, __n = 0; __i < (size); \ + __i += __entry->next_offset, __n++) { \ + __entry = (void *)(entries) + __i; \ + if (__n < n) \ + continue; \ + \ + __ret = fn(__entry , ## args); \ + if (__ret != 0) \ + break; \ + } \ + __ret; \ +}) + +/* fn returns 0 to continue iteration */ +#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ + XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) + + +/* pos is normally a struct ipt_entry/ip6t_entry/etc. 
*/ +#define xt_entry_foreach(pos, ehead, esize) \ + for ((pos) = (typeof(pos))(ehead); \ + (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ + (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) + +/* can only be xt_entry_match, so no use of typeof here */ +#define xt_ematch_foreach(pos, entry) \ + for ((pos) = (struct xt_entry_match *)entry->elems; \ + (pos) < (struct xt_entry_match *)((char *)(entry) + \ + (entry)->target_offset); \ + (pos) = (struct xt_entry_match *)((char *)(pos) + \ + (pos)->u.match_size)) + + +#endif /* _X_TABLES_H */ |